List all supported CPU architectures.

Returns available architecture identifiers for the 'arch' parameter used by disassemble_hex, disassemble_file_section, etc.

Disassemble a hex-encoded byte string into assembly code.

Args: hex_code: Hex-encoded machine code bytes, e.g. "554889e5" or "55 48 89 e5" (spaces are auto-stripped). arch: CPU architecture. Use list_supported_architectures to see available values. Default: x86_64. base_address: Base address as a hex string (e.g. "0x401000"). Default: "0". max_instructions: Maximum number of instructions to disassemble. 0 means unlimited.

Returns: Formatted disassembly output with address, bytes, mnemonic and operands.

Disassemble a named section from a binary file (PE/ELF/Mach-O).

Args: file_path: Absolute path to the binary file. section_name: Section name to disassemble. Default: ".text". arch: CPU architecture. Auto-detected from file header if omitted. max_instructions: Maximum instructions to disassemble. Default: 200. Set 0 for unlimited.

Returns: Disassembly output for the section, including file metadata.

Disassemble code at a specific virtual address in a binary file.

Args: file_path: Absolute path to the binary file. virtual_address: Starting virtual address as hex string (e.g. "0x401000"). size: Number of bytes to read. Default: 256. arch: CPU architecture. Auto-detected if omitted. max_instructions: Maximum instructions to disassemble. Default: 50.

Returns: Disassembly output at the specified address.

Get detailed metadata of a binary file (PE/ELF/Mach-O).

Includes file format, architecture, entrypoint, section list, imports/exports, etc.

Args: file_path: Absolute path to the binary file.

Returns: File metadata in JSON format.

Search for instructions matching a specific pattern in disassembled code.

Filter by mnemonic name or instruction group (call/jump/ret/interrupt).

Args: hex_code: Hex-encoded machine code bytes. arch: CPU architecture. Default: x86_64. base_address: Base address. Default: "0". mnemonic: Mnemonic to search for (partial match), e.g. "mov", "call", "push". group: Instruction group to filter: call, jump, ret, interrupt.

Returns: List of matching instructions.

Search for instructions matching a pattern in a binary file's section.

Args: file_path: Absolute path to the binary file. section_name: Section name. Default: ".text". arch: CPU architecture. Auto-detected if omitted. mnemonic: Mnemonic to search for (partial match). group: Instruction group to filter: call, jump, ret, interrupt.

Returns: List of matching instructions.

Perform control flow analysis on machine code, identifying basic blocks, jumps, calls and returns.

Args: hex_code: Hex-encoded machine code bytes. arch: CPU architecture. Default: x86_64. base_address: Base address. Default: "0".

Returns: JSON-formatted control flow analysis with basic blocks, edges, calls and return info.

Find all cross-references to a target address in hex-encoded machine code.

Searches for call, jump, immediate value, and memory displacement references to the specified target address.

Args: hex_code: Hex-encoded machine code bytes. target_address: Target address to find references to (hex string, e.g. "0x401000"). arch: CPU architecture. Default: x86_64. base_address: Base address. Default: "0".

Returns: List of cross-references with source address, type, and instruction.

Find all cross-references to a target address in a binary file's section.

Scans the specified section for all instructions that reference the target address via call, jump, immediate operand, or memory displacement.

Args: file_path: Absolute path to the binary file. target_address: Target address to find references to (hex string, e.g. "0x401000"). section_name: Section to scan. Default: ".text". arch: CPU architecture. Auto-detected if omitted.

Returns: List of cross-references with source address, type, and instruction.

Disassemble code at the binary file's entrypoint.

Automatically locates the entrypoint address and disassembles from there.

Args: file_path: Absolute path to the binary file. size: Number of bytes to read from the entrypoint. Default: 512. arch: CPU architecture. Auto-detected if omitted. max_instructions: Maximum instructions to disassemble. Default: 100.

Returns: Disassembly output at the entrypoint.

Read raw bytes at a file offset and disassemble them.

Unlike disassemble_at_address, this uses a raw file offset instead of a virtual address.

Args: file_path: Absolute path to the file (any file, not limited to PE/ELF). offset: File offset as hex string (e.g. "0x400"). size: Number of bytes to read. Default: 256. arch: CPU architecture. Default: x86_64. base_address: Display base address for disassembly. Defaults to offset value. max_instructions: Maximum instructions to disassemble. Default: 50.

Returns: Disassembly output at the file offset.

Search for ROP gadgets (instruction sequences ending with ret) in hex-encoded machine code.

Used for ROP chain construction in CTF Pwn challenges.

Args: hex_code: Hex-encoded machine code bytes. arch: CPU architecture. Default: x86_64. base_address: Base address. Default: "0". max_gadget_len: Maximum number of instructions per gadget. Default: 5. max_results: Maximum number of results to return. Default: 100.

Returns: List of ROP gadgets with addresses and instruction sequences.

Search for ROP gadgets in a binary file's section.

Args: file_path: Absolute path to the binary file. section_name: Section name. Default: ".text". arch: CPU architecture. Auto-detected if omitted. max_gadget_len: Maximum instructions per gadget. Default: 5. max_results: Maximum results to return. Default: 100.

Returns: List of ROP gadgets found.

Extract readable strings from a binary file (similar to the strings command).

Args: file_path: Absolute path to the file. min_length: Minimum string length. Default: 4. encoding: Encoding type: "ascii", "utf16le", or "both" (default). max_results: Maximum results to return. Default: 300.

Returns: List of extracted strings with offset and encoding info.

Brute-force single-byte XOR decryption, ranked by printable character ratio.

Commonly used in CTF to decrypt simple XOR-encrypted flags or strings.

Args: hex_data: Hex-encoded ciphertext data. min_printable_ratio: Minimum printable character ratio threshold. Default: 0.75.

Returns: Candidate decryption results sorted by printable ratio.

XOR encode/decode data with a specified key.

Args: hex_data: Hex-encoded data. hex_key: Hex-encoded key (supports multi-byte keys, applied cyclically).

Returns: XOR result as hex output with ASCII preview.

Generate or find offset in a cyclic buffer overflow pattern (De Bruijn sequence).

Used to determine the exact EIP/RIP overwrite offset. Similar to Metasploit's pattern_create / pattern_offset.

Args: action: "create" to generate a pattern, "offset" to find an offset. value: When action="offset", the value to search for (hex like "0x41386141" or ASCII string). length: When action="create", pattern length (default 200). When action="offset", search range.

Returns: Generated pattern or offset lookup result.

Check security features of a binary file (similar to the checksec tool).

ELF: NX, PIE, RELRO, Stack Canary, FORTIFY, RPATH, Stripped PE: DEP/NX, ASLR, SEH, CFG, Authenticode Mach-O: PIE, Stack Canary, Code Signing

Args: file_path: Absolute path to the binary file.

Returns: Security feature detection results.

Analyze PLT/GOT tables (ELF) or IAT (PE) of a binary file.

PLT/GOT is the core of ELF dynamic linking and the target of GOT overwrite attacks. IAT is the PE Import Address Table, commonly used for hooking and patching.

Args: file_path: Absolute path to the binary file.

Returns: PLT/GOT or IAT analysis results in JSON format.

View file contents as a formatted hex dump.

Args: file_path: Absolute path to the file. offset: Starting file offset as hex string. Default: "0". length: Number of bytes to display. Default: 256. Max: 4096.

Returns: Formatted hex dump with address, hex values, and ASCII display.

Scan a binary file for known cryptographic algorithm constants and signatures.

Detects: AES S-Box, SHA-256, SHA-1, MD5, DES, RC4, Blowfish, TEA/XTEA, CRC32, Base64 alphabet, and common file format signatures.

Args: file_path: Absolute path to the file.

Returns: List of detected crypto constants.

Comprehensively analyze shellcode: disassembly + pattern detection + statistics.

Detects NOP sleds, syscalls, common shellcode jump patterns, null bytes, etc.

Args: hex_code: Hex-encoded shellcode. arch: CPU architecture. Default: x86_64. base_address: Base address. Default: "0".

Returns: JSON-formatted shellcode analysis results.

Look up Linux system call information.

Supports lookup by number or name (partial match).

Args: query: Syscall number (e.g. "59") or name (e.g. "execve", supports partial match). platform: Platform: x86, x86_64/x64, arm/arm32, arm64/aarch64. Default: x86_64.

Returns: Matching syscall info including number, name, and arguments.

List all system calls for a given platform.

Args: platform: Platform: x86, x86_64/x64, arm/arm32, arm64/aarch64. Default: x86_64.

Returns: Complete syscall table for the platform.